Author Archives: Steve Prentice

Hybridization

When discussing migration to the cloud, the use of hybrid cloud and all other cloud-related issues, people generally place the focus on the technology itself. What sometimes gets overlooked is the group of individuals who are — or at least, should be — responsible for the precise and successful integration of cloud into a company’s lifecycle. Many people should be sitting at the table for this discussion.

Because the cloud is largely an IT issue, many companies like to defer the entire package to the IT department. But the IT people should not be the only ones involved. Cloud is just too big, and too all-encompassing, for any one group to shoulder the responsibility. Most IT managers would readily agree to this.

Roundtable Specialists

To this end, an organization should consider a roundtable of specialists, carefully chosen and capable of contributing their particular expertise to the ongoing policy of cloud integration. Ideally, this group should consist of the following, listed in no particular order:

A project manager. A qualified individual who can create and update a project plan and timeline, and make it available to the entire team. A project such as cloud migration requires competent and professional oversight.

People who understand the terminology. There is a great deal of new and sometimes confusing terminology that can derail, delay or simply obscure the migration project. This individual must be capable of clearly understanding and translating cloud terminology to the rest of the group, using strategic language.

A person or people capable of identifying, researching and interviewing trustworthy cloud service providers, and creating and maintaining an updatable database of existing suppliers.

People who have a direct connection to the end user, both internal and external. If cloud-based technologies result in a change in performance or usability, then the team needs individuals who can oversee and guide this transition, and most importantly who can listen to the end users.

A coordinator of shadow IT. Given that most IT departments are already very busy, a shadow IT department, or project-specific group, may be required. Such a team must integrate with the existing IT matrix to ensure clear communication and collaboration, and to balance loads as needed.

A cloud security specialist. Cloud security is a slightly different animal from regular IT security. Cloud security professionals work in conjunction with internal IT security, but are becoming more specialized and certified, in order to deal with the ever-increasing number of threats. This type of specialist could be an external vendor or an internal employee.

A cloud backup/transition specialist. Numerous experts in the cloud field recommend that migrations happen over a series of steps, rather than a general move, and that there always be an “Undo” option that allows quick backtracking to a previously saved state, should something go awry.

A real-time metrics analyst. In the age of cloud, real-time data is king. Cloud-based applications – from customer-facing commerce through to back-end administration – need to be carefully monitored, using the easily available data that digital technology provides.

A specialist in comparative intelligence. Cloud and its related online digital technologies change very quickly. The competitive, global economy allows for new companies to enter the race, sometimes offering a better, more sophisticated approach to sales, fulfilment and every other element of commerce. An individual tasked with the role of constantly observing the competition in the field is essential.

An HR or training specialist. New technologies bring change into an organization. Employees do not always welcome change. In some cases, they will resist and even try to sabotage new techniques that cause fear and insecurity. The specialist from HR or corporate training is an essential player at the table to ensure that new developments are introduced and massaged into the organizational culture, comfortably and proactively.

A neutral mentor. Mentors are an important component of individual professional success, and they should also be part of a company’s ongoing life. A neutral guide sitting at the table can provide wisdom, experience and advice, while not holding a vested interest.

Cloud-savvy legal advice. The global nature of cloud serves up a large palette of legal issues, ranging from compliance to content, and demands up-to-date awareness and guidance.

This makes for a very large table indeed. It is not necessary for these and other members of management to physically sit at an actual table, but it does require ongoing and regular communication even if done virtually. A large team is still manageable, especially when each individual has their specific, clearly defined role. This will allow for the clarification of some obvious but often overlooked must-haves, such as the organization’s mandate of what “cloud” actually means.

With so much of a company’s life force moving to the cloud, this small, coordinated army of specialists is critical in advising senior management in every area of cloud strategy.

The Cloud Security Challenge

The use of the term “cloud” to describe global, offsite computing and storage technology is apt for a number of reasons, not all of them good. The metaphor succeeds largely when people visualize their data hovering over their heads, no longer tied to a single location, and consequently easy to access from anywhere. But there are other parallels with actual meteorological clouds, specifically their soft, amorphous shape. This causes problems in perception and definition, which naturally lead to potential difficulties with security.

David Shearer, CEO of cyber, information, software and infrastructure security certification and education body (ISC)2, points out that the enthusiasm or pressure that companies feel to build their businesses quickly into the cloud can potentially lead to a fundamental weakness. “The easier it becomes to purchase cloud solutions,” he says, “the easier it is for organizations to get ahead of themselves. Business lines within a company can easily acquire cloud-based services, and the fast time to acquire and provision cloud services is extremely attractive. Any organization would be crazy not to take advantage of that.” Shearer points out, however, that when a company elects to leverage cloud solutions and services, management needs to be smart about it; and part of that includes proper and continuous security measures:

“As recently as a few years ago, security was looked at as a hindrance; something that got in the way. In these situations, sometimes bad things needed to happen for people to pay attention. In the C-suite, if nothing else, CEOs and CxOs are losing their jobs for a perceived lack of due diligence and lack of strategy to protect a corporation’s intellectual property or personally identifiable information – and that gets people’s attention. Increasingly, what is needed is better communication between those actually responsible for making security work, and the C-suite.”

In addition to the lack of clear comprehension of cloud in the executive office, there is also a similar disconnect throughout other levels of business.

Defining The Cloud

Adam Gordon is an author, subject matter expert and instructor at (ISC)2. He identifies the definition of cloud itself as a significant challenge to cloud security. “There’s a great interest in anything and everything cloud,” he says, “but the problem is, as individuals and as businesses, we don’t always understand what cloud means. As a result, there tends to be a gap, where consumption is a lead indicator and security is an afterthought.” It is ill-defined in many people’s minds, Gordon adds. “Many people look at it as a marketing slogan or a marketing solution, but they don’t really get it. As a result, I think one of the biggest issues that we face, as security professionals in the cloud, is the idea of how to create a common ground in terms of what it is we are talking about and how we will frame conversation around risk, liability, security, and things that go with that.”

Yet a third challenge to effective understanding of the cloud is the change of mindset needed, especially among managers and decision makers who spent their early years in the company of mainframes, dumb terminals and internal networks. For many, there is a pervasive, almost instinctive sense that data and computing systems are physically safer when they exist inside the actual walls of a company where they can be seen and touched. The notion of storing data on someone else’s computer somewhere in the world just does not feel right. The truth is that data is generally safer when transferred to the vaults of a cloud organization whose sole mandate is secure storage, but adherence to ideas from an earlier age is a very human attribute; one that never fully disappears.

Mobile Employees

Finally, there is the relatively new phenomenon of mobile employees who see their smart devices as their office, and who expect to use them at home, at work, and in public spaces like coffee shops and transit terminals, accessing Wi-Fi connections with little thought as to security. This soft, boundary-less setting has a direct parallel to actual clouds. Where, after all, does work-related security begin and end, when the device being used shares storage space and connectivity with personal files and pursuits? Adam Gordon worries that enabling individuals to work productively in these non-traditional environments with equally non-traditional capabilities and platforms opens up a collection of unknowns in terms of security and the individualized approach to data.

The softness of the cloud reinforces the need for a new type of security specialist: someone with the experience and wisdom to stay on top of a fast-changing environment, and with the skills to communicate the necessary directives to the executive as well as to the rest of the IT team. This is the reason behind the development of the CCSP designation. The cloud will only continue to grow in size and versatility. Successful usage must involve a sound and ongoing security strategy across all levels of operation.

For more on the CCSP certification from (ISC)2 please visit their website. Sponsored by (ISC)2.

The Face To Face Conundrum

Meetings have been a scourge on business productivity for many decades. British comedy genius John Cleese released a corporate training film back in 1976, entitled Meetings, Bloody Meetings, which not only became an instant classic, but spawned a sequel in 2012. The problems inherent in meetings are timeless and universal. And sadly, they take up way too much time. But things are changing.

Traditional Meetings Endangered Species List

A combination of factors now places the traditional meeting on the endangered species list. People no longer have the time or patience that they used to, and for the new generations of employees and managers who have grown up with sophisticated video gaming and unconstrained access to online resources, a tedious one-hour or longer meeting often fails to prove its worth. When that happens at the outset, engagement is sure to evaporate.

We have moved well past the era in which the only way to share ideas with a group of people was to corral them in the same room. Numerous options now exist from the good-old teleconference, to multi-screen video chat, through to virtual meetings using VR tools; but this leads to a conundrum: how important is physical presence to the efficacy of a meeting?

Many of us have participated in tele-meetings where Internet-based video conferencing was available, but in which the participants still chose not to use the video component, opting solely for voice. For small meetings, this might be due to shyness or vanity – we don’t always look the way we want to, especially when working from home. There is also something decidedly disturbing about the “downwards glare,” where inexperienced video conference attendees look at the onscreen images of the other participants, rather than looking into their own camera. This creates an immediate sense of disconnection between people and points to the importance of eye-to-eye contact during discussion.

Body Language Cues

In multiple participant teleconferences, additional frustration comes about through the lack of body language cues, especially in regard to the rhythm of an actual conversation. We use facial or body gestures to signify comprehension of a point, as well as to signal our desire to speak. Such subtleties are lost when the visual component is missing or inadequate.

This does not mean that virtual meetings should not happen – they should. In fact, they should happen more often, since they save enormous amounts of time and money, and can actually be more productive than their analog counterparts, in most cases. What is critical is that the chairperson of a virtual meeting delivers and enforces an updated set of rules that ensure optimum behavior and synergy.

Firstly, if a company has access to a high-end video telepresence setup – using good video cameras and a bank of screens showing the other participants – then book this well ahead of time. These types of premium virtual meeting rooms are generally available in large organizations with numerous office locations. They are not available to everyone, but they are worth it, since they offer the chance to see other people as if they were sitting across the table from you, and the 3D sound and video quality is generally superb. When these are not available, a phone or VoIP teleconference can do just as well, but the rules must be adjusted accordingly.

Go for “visual” whenever possible. Humans place greater trust in people when they can see who they are dealing with. They can also read body language cues, and frame the dynamic of the conversation accordingly. Instruct participants to spend a few minutes preparing, prior to the call. This doesn’t mean calling the stylists and makeup artists in; it simply means allowing adequate light and establishing a desired visual look.

Photo Op

If video is not possible or not desired, then ensure photos are available. This could be as easy as inserting participants’ pictures on the meeting agenda (sent by email or posted in a meeting space). A photo is a more controlled version of a person’s image, and although it does not allow for visual cues, it still flavors the dynamic of the conversation in a more human way.

Set up a system for side chats. It is very disturbing when people need to make a side comment while another person is speaking. Whispering is impossible on a conference call, but texting is easy. Whether this is done through an onscreen conference hub, or just texting to each other’s phones, this is an essential component of meeting dynamics that reduces interruptions while boosting synergy. It can also be used as a way of “raising your hand to speak,” by texting the chairperson from miles away.

There will always be some occasions which necessitate pulling people physically into a room for a meeting, but these are becoming fewer and fewer. The technology exists to bridge the obstacles put up by distance, time and money, but what is needed now is a revised mindset that focuses proactively on the dynamics of human communication, and curates the available technologies to achieve the meeting’s intended goal. This way, Mr. Cleese will not have to make another sequel in 2018.

Cloud Security Demands Call For Credentialed Professionals

It is not possible to stare with absolute clarity into the future. None of us has a crystal ball. But there is certainty in knowing that the path to progress on which our future lies curves steeply upwards. Gordon Moore originated a concept, now called Moore’s Law, in 1965. It was intended to describe the constant doubling of processing power in semiconductor chips every two years in an exponential fashion. Although this law was originally designed to describe the progress of computer components, it has subsequently been adapted by numerous futurists to reflect the pace of human technological change in general.

Technologies such as the cloud, mobile devices, and the Internet of Things have not only increased collective processing power, but have also distributed it worldwide so that human beings from every corner of the planet can access and use the technologies. This is good news when efforts are applied to innovation and progress, but not so good news in terms of threats to network security.

Following the upward progression of Moore’s Law, security specialists face an ever-increasing variety and sophistication of attack vectors, happening 24 hours a day and mutating constantly. It becomes increasingly difficult to guard a castle when the attackers are so numerous, agile and versatile, but such is the life of the cloud security professional.

Cat And Mouse With Attackers

For many organizations, IT-related security professionals play a game of cat and mouse with attackers, and this is usually performed in reactive, firefighting mode. At a senior management level, a lack of true understanding of the severity and frequency of attacks, combined with perpetual concerns over costs, has left many organizations understaffed in this area. The problem with this scenario, much like it is in any war, is that strategies cannot be deployed without a higher-level vision and a long-range plan. Security specialists who exist purely in firefighting mode represent common foot soldiers, marching or running toward battle but with little overarching strategy of how to outflank the enemies in a more decisive fashion.

Cloud security is a profession that, possibly more than most, cries out for effective time management. Deficiency in this skill is generally not because of any ignorance of its importance, but simply a result of the workload at hand. Most security specialists readily state that given their choice they would prefer to invest a portion of their working time to research, education, and preparedness planning. This, they feel, would lead to far more effective security protocols, both in terms of technological barriers and also in teaching employees the correct techniques and habits for safe computing, password management and general network security hygiene.

Assignment of time in this fashion is an ideal implementation of the Pareto principle, otherwise known as the 80/20 rule. In this case, it points to the fact that more could be achieved by dividing the workload into two camps: planning and preparedness (20%), and then action and deployment (80%). Only by allowing time for research, review and strategy can a security professional and the employer gain the upper hand in the constant battle with cloud-based enemies.

Malware Fridays

A simple example of the strategic clarity that the 80/20 principle can deliver is the Friday effect. Network security company Cyren pointed out recently that Fridays are the most dangerous days for the delivery of malware.

This is predicated on the fact that employees prefer to take their devices home with them for the weekend, and consequently turn to less-than-secure Wi-Fi connections for doing work and returning emails. When employees work outside a secure firewall, cyber criminals can exploit this weakness, leading people to unwittingly download malware, which is then reinserted into a company’s network upon their return to work on Monday. This type of strategy, which may appear fiendishly straightforward, has a pattern that can best be perceived through a higher-level view, and is unlikely to be picked up by security specialists already overwhelmed by immediate crises.

Seeking Certified Professionals

As companies invest in cloud security, they should be seeking certified professionals, such as the Certified Cloud Security Professional (CCSP℠) from (ISC)2®, a global leader in information, cyber, software and infrastructure security certifications, who have the demonstrated experience, knowledge and skills to competently address the many challenges of this role – from reacting to threats to ongoing maintenance of secure cloud infrastructure to communicating effectively with business leaders. This is a lot to ask of any individual and, similarly, it is a lot to ask of a company: allowing time for the expert to prepare for the future while battling the present. It requires resources, and senior-level commitment.

The one constant, however, is that this will not change. In fact, it will only increase. A certified cloud security professional is there to establish and maintain appropriate defenses so organizations can benefit from the full power of cloud computing to grow their business.

For more on the CCSP certification from (ISC)2 please visit their website. Sponsored by (ISC)2.

From Surge Pricing To Surge Payments

In a very short period of time, Uber has emerged as a world-changing business philosophy that goes well beyond cars. It represents a new approach to crowdsource-based, on-demand service. It is changing the way companies look at the delivery of goods, in terms of direct delivery to a customer as well as to and from warehouses. It has already profoundly impacted the taxi industry, which has reacted with fear and anger at this brash new competitor, and which, in some cities at least, has already resulted in a lowering of base fares and an improved level of service. That’s what competition does.

As with many innovations, the Uber approach to individualized service is still developing. There are wrinkles yet to be ironed out, either by Uber or its own direct competitors, and one of these is the idea of surge pricing. Uber’s detractors have pointed to the free-market approach to pricing that Uber’s services seem to have demonstrated in times of great demand. Although Uber itself has commented on this, there is a simple fact to remember: Uber is not the only game in town. Customers are not obliged to pay any form of surge pricing due to some transit monopoly; there are other forms of transport always available.

The surge pricing model is a facet of free market economics, whether embraced by Uber or not. Any company that invokes it simply capitalizes on the fact that services have a value, and many factors, including convenience, status, or scarcity tend to raise that value, even if temporarily.

Traditional Payment Systems

So what happens when the Uber model gets applied to more traditional payment systems, like the net-30 or net-60 invoice payment structure? This multi-week delay between receipt of an invoice and the cutting of a cheque is central to the operations of many organizations in both the public and private sector. Many organizations base their cash flow and projections on this buffer, ensuring they reduce or eliminate exposure between input of revenue and outflow of expenses. For the last few decades there really has been no other way – at least none acceptable to the accounting department.

But in the age of Uber, this is changing. Some companies are starting to recognize that they can pay suppliers through credit card and PayPal, through electronic funds transfer, even using Bitcoin, and they can do so within one hour or even one minute of receiving the invoice. The question is, why would any company want to do that, when they can hang on to their money for another month or more by staying with the traditional procedure?

Priorities Based On Immediacy Of Payment

The answer lies in Uber’s approach, which is simply a sped-up version of any free marketplace: you get what you pay for. Suppliers of goods and professional services may reconsider their business priorities based on immediacy of payment. They may simply become unavailable to any organization that cannot pay within minutes of delivery or completion.

This, then, is not an immediate copy of surge pricing, since prices for the services have not increased, but it definitively points to an increase in overall cost to the buyer, when the most efficient – and therefore ultimately most economical – suppliers bow out of the supply chain in favor of more prompt-paying customers. The cost to a purchasing organization might not be in up-front dollars, but in the elimination of the ideal supplier.

This is already happening, and it promises to only increase. As companies seek to improve their productivity and competitiveness in line with the changing mobile-first economy, some of the more traditional aspects of running a business get left behind or taken for granted as the perpetual norm. However, in just the same way that Uber has shaken up the century-old world of taxis-for-hire, the speed-of-payment ideal will change the traditional business-to-business playing field, modifying the value definition of a supplier to factor in its willingness to sell in real time versus the customer’s willingness to pay in real time. This must become part of any organization’s next five-year plan. The quality that they themselves seek to deliver to their customers will be entirely dependent on the quality of the suppliers with whom they work. And just like in the taxi industry, there are always other, cheaper resources available. The question is, will they take your company where it wants to go?

KPMG LLP is a Delaware limited liability partnership and is the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG LLP.

The Blended Mindset

It has been a long time since a phone was just a phone. In fact, people start to show their age when they refer to their device as a “cellphone.” It is far more than that. The modern portable device is capable of infinite tasks, whether it draws upon its own internal assets, or through apps that work with the rest of the world via cellular or wireless. In its immensely portable versatility, business leaders can see the future of their organizations: people and machinery demonstrating blended and agile abilities rather than sticking to one specific talent.

The smartphone (also a dated term) is a hand-held tool for life. So too is the modern car. Hand-held through the steering wheel at least, its available phone and 4G technologies, along with USB ports and remote diagnostics, turn it into an office with wheels, adaptable to any industry, from farming to construction to accounting. In a few more years, as the Internet of Things takes root, other traditionally single-function devices, from refrigerators to hospital gowns, will play a more active and diverse role in communicating back and forth between suppliers and consumers, making decisions and guiding actions.

The transformation of these devices from one-trick-ponies to jacks-of-all-trades must not go unnoticed by company leaders, since it reflects two levels of progress: machine and human. In league with technological change, people too are becoming more versatile in their skills and approaches, rendering the traditional career path and organizational chart hierarchy somewhat redundant.

Take IT as an example. In earlier years, the IT department lived and worked in essential isolation, its employees using their wizardry to ensure that networks and personal computers functioned properly and safely. But in recent times, the IT manager has been given a wider range of responsibility. No company operating today can consider itself relevant if it does not offer IT and security executives a seat at the C-suite table. With an ever-increasing variety and sophistication of cyber-attacks, the necessity of migrating to the cloud and the pressure to translate commerce into an omni-channel universe, IT executives must offer strategic leadership advice in concert with the technical facts.

Employees too are becoming more diverse, not simply in age, culture or other demographic delineation, but in attitude and aptitude. This is why many employers are turning to social media to identify hidden talent. Whereas résumés and personality tests succeed in pegging individuals for certain jobs, a review of social media profiles tends to reveal latent talents that may otherwise go unnoticed. Leadership skills, emotional intelligence, creativity, comfort with risk and, most importantly, career self-determination paint pictures of individuals whose passions exist untapped, until discovered by reading between the lines on social media.

These “possessions” – like tiles that make up an individual personal mosaic – indicate skills and powers that an agile organization might see fit to employ for a certain task at a certain moment in time, without resorting to the traditions of seniority or process. This demands the same type of agility and versatility that exists within a mobile device.

More significantly, it matches the mindset demonstrated by the modern world’s most successful leaders such as Elon Musk and Steve Jobs. These individuals are mentioned often simply because they blend their fierce commitment to their sense of destiny, with a willingness to change and adapt to better ideas. This is the blended mindset that exists at the pinnacle of a successful company’s management structure, and which can and must be discovered and encouraged throughout the entire organization.

Human beings are very good at learning and adapting. Modern education need not enforce the traditional multi-year, Ivy-League style in order to yield practical skills and abilities; there are numerous online educational systems that give the knowledge away for free. Just like Elon Musk did with the code behind Tesla, openness and versatility continue to drive modern commerce.

Digital Social Transformation

It is very natural for those in positions of senior responsibility to greet the modern age of change with mistrust. But this is the age in which business is now being done. It will be of greater value for a company to shore up its presence on a growing social media platform – especially those favored by the younger generations, whose economic and social influence reaches every corner of the world economy – than to focus on more traditional mailing lists and CRM techniques from a decade ago. Business effectiveness in the next few years depends a great deal on a shift of mindset, from channels and hierarchies to an open concept, which pulls diverse and blending talents from all corners of a company’s human and technical resources to solve problems in real time and test them as they unfold.

Every time company leaders take their mobile phone out of their pocket, they should look at it anew. This is a device whose value exceeds the sum of its parts, and for which the telephone feature is merely a bit player. This is a blended device, and it has changed the world by virtue of its openness. And so will it be for businesses everywhere.

Social Media In The Workplace

Would you let your employees use social media on company time? The response to this question is usually an emphatic no. The reasons given make sense, at least on the surface: “People are here to work, not to play.” “We cannot trust our employees to not waste the entire day playing around online.” “The optics would be very bad for our customers.”

Indeed, people are hired to contribute their skills for the advancement of their employer. But there is a significant distinction between time spent at the desk and actual productivity. The end results of a task assignment are not a factor of the amount of time spent in front of a computer screen, but the quality of the effort exerted by the individual. That can vary greatly depending on time of day, stress levels, even what the employee ate for breakfast.

Productivity is a result of physiology, not of face time.

The Health Aspect

Access to social media during the workday offers at least one improvement, and that is in the area of mental focus and stamina. The human mind and body were never designed to work at a consistently high level of output for a sustained number of hours. We just cannot do that. Instead, we work best in bursts of energy punctuated by rest. By visiting a favorite social media site for just a couple of minutes per hour, employees benefit from a rhythm that feeds the mind and allows for greater amounts of productivity, accuracy, and creativity.

The crux of the issue becomes one of definition: what does “access” mean? Those who push back against the idea of social media in the workplace maintain a perception that employees will spend their entire day with one eye on their favorite web site, and their attention permanently divided. But that’s not the only way. Companies that have succeeded in allowing social media into the workplace are those that have established a “best practice,” such as allowing just a few minutes per hour, with the employee accepting the responsibility of returning to work without needing to be told.

This brings forth two profound benefits.

The first is that this type of mental break fits in with the body’s natural rhythms and the individual employee’s personal attention span. Some people have attention spans of an hour or more, and can work for extensive periods. Most, however, have a limit that is well inside a one-hour block, and exceeding it simply results in distraction, delay and/or procrastination.

Secondly, allowing access contributes to employee engagement and loyalty, whereas an outright ban damages the trust relationship. Employees like to feel respected, and being locked out of social media simply results in diminished motivation paired with an increased desire to move to greener pastures.

There is also a growing demand for employee wellness and work-life integration. With recent discoveries demonstrating that sitting for long periods per day presents the same types of health dangers as smoking and overeating, the pressures mount on employers to offer a balanced working environment, and this includes mental health as much as physical.

The Literacy Aspect

The term “literacy” in the current era encompasses more than just reading and writing. It involves the intellectual ability to parse information; to sort through huge amounts of incoming data, to determine what is relevant and what is not. People who are capable of doing this become capable of handling the high-speed, multi-level pressures of the modern workplace. Those who can produce the work required of them while having access to social media are generally going to be more agile and productive employees. For them, deprivation leads to distraction and frustration. The multimedia workplace is actually where they thrive.

The Optics

What about what the customers might think? If a customer walked through the office, and if they were to see a computer screen that had a social media site on it, what would they think of the organization?

This is a matter of great concern for employers. However, more and more businesses are answering this question by pointing to the quality of their products and their customer service. A growing number of modern businesses are succeeding not by caging employees, but by letting them live “free range,” working according to their personal and physiological needs. Customers need to experience – if they have not already – that environmental amenities such as social media contribute to quality rather than detract from it. And that is what customers seek.

It is a natural response from business owners to envision the risks in every new development that comes along. But their capacity for steering their company through the wind and waves of the marketplace also demands agility and awareness. This includes recognizing the benefits in an upgraded workplace – one that includes access to social media.

KPMG LLP is a Delaware limited liability partnership and is the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG LLP.

Cloud Security Insights From CCSP Pros

The age of cloud security gives rise to the somewhat mixed metaphor of a cat and mouse game played out on shifting sands. Cloud security professionals face a multidimensional conundrum as they try to keep pace with changing technologies, upgrades, internal political pressures, and of course external infiltration attempts. Danger can come from the outside or within. It can be mechanical, software driven, or the fault of human beings. And answering the call at the end of this long list of stresses and priorities is a hugely busy, often overworked security team.

So what do they have to say about it? We asked the CEO of (ISC)², a global leader in information, cyber, software and infrastructure security certifications, including the Certified Cloud Security Professional (CCSP℠), and two CCSP-certified security experts to share some of their knowledge and observations. What have they seen? What worries them, and what advice would they offer? Here are a few of their revelations.

Connecting Devices To The Cloud

“Everyone is migrating to the cloud,” says Adam Gordon, CCSP, author and instructor for (ISC)². Through organizations large and small, public sector and private, as well as millions of individual consumers, every device is connecting and interrelating with every other in ways that no one can accurately map. “The problem is, we don’t always understand what cloud means as we start to consume. As a result, there tends to be a gap where consumption is a lead indicator and security is an afterthought.” Gordon points out that the causes of major breaches can often be tracked to lax behavior on the part of individuals. “Do they understand the implications of allowing an application on their phone to use the phone’s location services to provide location information to a cloud service? How is that being used? How is it being archived? How is it being tracked?” he asks.

People place a great degree of trust in their systems and their providers and, for Adam, this is not enough. “I think the mistake we make today, or that we have made historically, is we put faith into the provider and say, ‘they’re going to take care of it…’ and we don’t verify.” Adam prefers to embrace the phrase used by President Reagan during the 1987 arms control negotiations, and taken from a traditional Russian proverb: trust but verify. “If you take the trust but verify approach, we come up with a solution that actually leads to cloud security. If we just trust, but don’t verify, I think we’re in for some nasty surprises along the way.”

Constant Monitoring Critical

These concerns are echoed by Pat (a pseudonym), a CCSP-certified cyber strategist with a federal government department, who points out that a disturbing lack of cohesive policy makes security efforts much harder. “There is very little foundation for cloud environments right now,” Pat says, “the best things out there actually come from the vendors (as opposed to internal), but each vendor has different kinds of priorities. This makes it hard to determine what the threats are, as well as identifying what you don’t know about this environment.” Pat mentions that although external hacking gets the lion’s share of media attention, sometimes the problems come from more day-to-day maintenance activities. “Every time there is an update to your operating system, and you are running software, they can change your actual security configurations. You have to be constantly going back and reviewing what’s going on, and scanning your systems, and seeing what vulnerabilities that previously had been closed have been reopened again; and that is a constant battle.”

Pat’s main recommendations for striving toward a more secure cloud-connected IT system are a common nomenclature and a wider vision. “In the CCSP training class, I found it highly beneficial to address the naming conventions of how we talk about the cloud-based environments,” Pat says. “You have to understand all those terms and work them through your head in order to have meaningful conversations.” In addition, there is a need for a defined set of policies, and dependable and thorough processes. For example, when an organization performs an internal audit, they should not simply audit the outcomes of a system’s configuration, but rather they should also audit the process to make sure that people are doing things in a way that consistently reaches management’s expected outcomes. Once again, this means understanding the actions of people, along with the technology.
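Pat’s observation that an update can silently undo a hardening step is the kind of thing a baseline check catches. The following is an added example, not code from the article or from (ISC)²: it compares a hardened baseline against a post-update snapshot and reports every control that was closed before and is open again. All setting names and values are constructed sample data, not any real product’s configuration keys.

```python
# Added example, not code from the article or from (ISC)2: compare a
# hardened baseline against a post-update snapshot of security settings
# and report controls that were closed before and are open again.
# All setting names and values below are constructed sample data.
from dataclasses import dataclass, field

# Constructed baseline: control -> required value, or a ("min"|"max", bound)
# tuple for numeric thresholds.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": ("min", 1.2),
    "password.MaxAgeDays": ("max", 90),
}

@dataclass
class DriftReport:
    regressed: dict = field(default_factory=dict)  # control -> (expected, actual)
    missing: list = field(default_factory=list)    # baseline controls not in snapshot
    unknown: list = field(default_factory=list)    # snapshot settings not in baseline

def _compliant(expected, actual) -> bool:
    """True when the observed value satisfies the baseline entry."""
    if isinstance(expected, tuple):          # numeric threshold
        kind, bound = expected
        try:
            value = float(actual)
        except (TypeError, ValueError):
            return False
        return value >= bound if kind == "min" else value <= bound
    return str(actual).strip().lower() == expected.lower()

def check_drift(baseline: dict, snapshot: dict) -> DriftReport:
    """Compare a post-update snapshot against the hardened baseline.

    A control that is present but no longer compliant is a reopened
    hole; a control that vanished is treated as unverified, not safe.
    """
    report = DriftReport()
    for control, expected in baseline.items():
        if control not in snapshot:
            report.missing.append(control)
        elif not _compliant(expected, snapshot[control]):
            report.regressed[control] = (expected, snapshot[control])
    report.unknown = sorted(set(snapshot) - set(baseline))
    return report

# Constructed snapshot after a vendor update that re-enabled password
# logins, lowered the TLS floor, dropped the password-age setting and
# introduced a new knob the baseline does not cover.
AFTER_UPDATE = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.0",
    "telemetry.Upload": "on",
}
```

Running `check_drift(BASELINE, AFTER_UPDATE)` flags the password-login and TLS controls as regressed, lists the password-age control as missing and surfaces the unknown telemetry setting for review, which is the kind of recurring scan Pat describes.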

Compounding the challenges for organizations and their security specialists is convergence, says David Shearer, CEO, (ISC)². People often see expansion, in terms of the increasing numbers of devices and technologies connecting to the global Internet. But at the same time, there is “convergence of literally every engineering discipline on the planet, such as mechanical, electrical, software, biomedical, and chemical,” resulting in a cross-pollination of protocols and systems through which abuse and contagion have the potential to run rampant.

All three experts agree that the establishment of a common lexicon and culture of clear, proactive communications, paired with both mechanical and corporate awareness, is essential for helping to maintain secure systems, both locally and globally. This commonality and vision must be embraced throughout all managerial levels, reaching right to the top.

For more on the CCSP certification from (ISC)² please visit their website. Sponsored by (ISC)².
